Iris's smartphone beeped. Frowning, she glanced at the screen, expecting to see another junk e-mail. "We've really got to do something about the spam!" she muttered to herself. She scanned the header of the message. "Uh-oh!" Glancing at her watch and then looking at her incident response pocket card, Iris dialed the home number of the on-call systems administrator.
When he answered, Iris asked, "Seen the alert yet? What's up?" "Wish I knew. Some sort of virus," the SA replied. "A user must have opened an infected attachment." Iris made a mental note to remind the awareness program manager to restart the refresher training program for virus control. Her users should know better, but some new employees had not been trained yet. "Why didn't the firewall catch it?" Iris asked. "It must be a new one," the SA replied. "It slipped by the pattern filters."
"What are we doing now?" Iris was growing more nervous by the minute. "I'm ready to cut our Internet connection remotely, then drive down to the office and start our planned recovery operations: shut down infected systems, clean up any infected servers, recover data from backups, and notify our peers that they may receive this virus from us in our e-mail. I just need your go-ahead." The admin sounded uneasy. This was not a trivial operation, and he was facing a long night of intense work. "Do it," Iris said.
"I'll activate the incident response plan and start working the notification call list to get some extra hands in to help." Iris knew this situation would be the main topic at the weekly CIO's meeting. She just hoped her team would be able to restore the systems to safe operation quickly. She looked at her watch: 12:35 a.m.
Discussion
1. What can be done to minimize the risk of this situation recurring? Can these types of situations be completely avoided?
2. If you were in Iris's position, once the timeline of events has been established, how would you approach your interaction with the second-shift operator?
3. How should RWW go about notifying its peers? What other procedures should Iris have the technician perform?
4. When would be the appropriate time to begin the forensic data collection process to analyze the root cause of this incident? Why?